git.ipfire.org Git - thirdparty/systemd.git/commitdiff
NEWS: update news about systemd-udevd.service
author    Lennart Poettering <lennart@poettering.net>
          Mon, 19 Sep 2016 19:29:06 +0000 (21:29 +0200)
committer Djalal Harouni <tixxdz@opendz.org>
          Sun, 25 Sep 2016 08:52:57 +0000 (10:52 +0200)
NEWS

diff --git a/NEWS b/NEWS
index 178ccf9b04337c011f7f9215a9ef98644bde0432..5f3f76df4f39be3aaff374d43ee661ab530422c4 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -137,6 +137,20 @@ CHANGES WITH 232 in spe
           $SYSTEMD_NSPAWN_SHARE_NS_UTS may be used to control the unsharing of
           individual namespaces.
 
+        * systemd-udevd.service is now run in a Seccomp-based sandbox that
+          prohibits access to AF_INET and AF_INET6 sockets and thus access to
+          the network. This might break code that runs from udev rules that
+          tries to talk to the network. Doing that is generally a bad idea and
+          unsafe due to a variety of reasons. It's also racy as device
+          management would race against network configuration. It is
+          recommended to rework such rules to use the SYSTEMD_WANTS property on
+          the relevant devices to pull in a proper systemd service (which can
+          be sandboxed differently and ordered correctly after the network
+          having come up). If that's not possible consider reverting this
+          sandboxing feature locally by removing the RestrictAddressFamilies=
+          setting from the systemd-udevd.service unit file, or adding AF_INET
+          and AF_INET6 to it.
+
 CHANGES WITH 231:
 
         * In service units the various ExecXYZ= settings have been extended
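Review bot: The revert advice at the end of the new entry ("consider reverting this sandboxing feature locally by removing the RestrictAddressFamilies= setting from the systemd-udevd.service unit file, or adding AF_INET and AF_INET6 to it") tells administrators to edit the shipped unit file, which the next package upgrade will overwrite and which also drops the whole sandbox instead of only widening it; suggest recommending a drop-in override instead (for example via `systemctl edit systemd-udevd.service`) that adds just the two families, so the rest of the restriction stays in place and the change survives upgrades. Two smaller wording points in the same paragraph: "unsafe due to a variety of reasons" leaves the actual risk unstated, and "ordered correctly after the network having come up" should read "ordered correctly after the network has come up".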